Problem configuring websphere application server behind ingress

不打扰是莪最后的温柔 submitted on 2021-01-29 07:08:37

Question


I am running websphere application server deployment and service (type LoadBalancer). The websphere admin console works fine at URL https://svcloadbalancerip:9043/ibm/console/logon.jsp

NAME         TYPE           CLUSTER-IP    EXTERNAL-IP      PORT(S)                                                                                                                    AGE
was-svc      LoadBalancer   x.x.x.x   x.x.x.x   9080:30810/TCP,9443:30095/TCP,9043:31902/TCP,7777:32123/TCP,31199:30225/TCP,8880:31027/TCP,9100:30936/TCP,9403:32371/TCP   2d5h

But if I configure that websphere service behind ingress using an ingress file like:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress-check
  annotations:
      kubernetes.io/ingress.class: "nginx"
spec:
  rules:
  - http:
      paths:
      - path: /ibm/console/logon.jsp
        backend:
          serviceName: was-svc
          servicePort: 9043
      - path: /v1
        backend:
          serviceName: web
          servicePort: 8080

The URL https://ingressip//ibm/console/logon.jsp doesn't work. I have tried the rewrite annotation too.

Can anyone help to just deploy the ibmcom/websphere-traditional docker image in kubernetes using a deployment and service, with the service mapped behind the ingress, so that the websphere admin console can somehow be opened from ingress?


Answer 1:


There is a helm chart available from the IBM team which has the ingress resource as well. In your code snippet, you are missing SSL-related annotations as well.

  • https://hub.helm.sh/charts/ibm-charts/ibm-websphere-traditional
  • https://github.com/IBM/charts/tree/master/stable/ibm-websphere-traditional

I have added the Virtual Host configuration for admin console to work with port 443 in the following code sample.

Please note: Exposing the admin console on the ingress is not a good practice. Configuration should be done via wsadmin or by extending the base Dockerfile. Any changes done through the console will be lost when the container restarts.

apiVersion: v1
kind: Service
metadata:
  creationTimestamp: null
  name: websphere
spec:
  type: NodePort
  ports:
   - name: admin
     port: 9043
     protocol: TCP
     targetPort: 9043
     nodePort: 30510
   - name: app
     port: 9443
     protocol: TCP
     targetPort: 9443
     nodePort: 30511
  selector:
    run: websphere
status:
  loadBalancer: {}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: websphere-admin-vh
  namespace: default
data:
  ingress_vh.props: |+
    #
    # Header
    #
    ResourceType=VirtualHost
    ImplementingResourceType=VirtualHost
    ResourceId=Cell=!{cellName}:VirtualHost=admin_host
    AttributeInfo=aliases(port,hostname)
    #

    #   
    #Properties
    #
    443=*

    EnvironmentVariablesSection
    #
    #
    #Environment Variables
    cellName=DefaultCell01
---
apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: null
  labels:
    run: websphere
  name: websphere
spec:
  containers:
  - image: ibmcom/websphere-traditional
    name: websphere
    volumeMounts:
    - name: admin-vh
      mountPath: /etc/websphere/
    ports:
    - name: app
      containerPort: 9443
    - name: admin
      containerPort: 9043
  volumes:
  - name: admin-vh
    configMap:
      name: websphere-admin-vh
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx-ingress-check
  annotations:
      kubernetes.io/ingress.class: "nginx"
      nginx.ingress.kubernetes.io/secure-backends: "true" 
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  rules:
  - http:
      paths:
      - path: /ibm/console
        backend:
          serviceName: websphere
          servicePort: 9043
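
Following the note above that the admin console should not be exposed on the ingress, this is a check an operator could run over exported Ingress and Service objects to find rules that reach it. It is an added example, not part of the original answer or IBM's chart: the function names and the sample objects are constructed, and only port 9043 and the path /ibm/console come from the page.

```python
import json

ADMIN_PORT = 9043            # admin console port used on this page
ADMIN_PATH = "/ibm/console"  # admin console context root used on this page

def backend_of(b):
    """Return (service, port) for a v1beta1 or a v1 Ingress backend."""
    if "serviceName" in b:                       # networking.k8s.io/v1beta1
        return b["serviceName"], b.get("servicePort")
    svc = b.get("service", {})                   # networking.k8s.io/v1
    port = svc.get("port", {})
    return svc.get("name"), port.get("number", port.get("name"))

def find_admin_exposure(items):
    """List (ingress, path, service, reasons) for rules that reach the console."""
    ns_of = lambda o: o["metadata"].get("namespace", "default")
    # Service port names -> numbers, so a named servicePort can be resolved.
    names = {(ns_of(s), s["metadata"]["name"], p.get("name")): p["port"]
             for s in items if s["kind"] == "Service"
             for p in s["spec"].get("ports", [])}
    findings = []
    for ing in (o for o in items if o["kind"] == "Ingress"):
        for rule in ing["spec"].get("rules", []):
            for p in rule.get("http", {}).get("paths", []):
                svc, port = backend_of(p["backend"])
                if not isinstance(port, int):
                    port = names.get((ns_of(ing), svc, port))
                path = p.get("path", "/")
                reasons = [r for r, hit in (("admin-port", port == ADMIN_PORT),
                           ("admin-path", path.startswith(ADMIN_PATH))) if hit]
                if reasons:
                    findings.append((ing["metadata"]["name"], path, svc, reasons))
    return findings

# Constructed sample, shaped like the "items" of `kubectl get ingress,svc -A -o json`.
SAMPLE = json.loads("""[
 {"kind":"Service","metadata":{"name":"websphere"},
  "spec":{"ports":[{"name":"admin","port":9043},{"name":"app","port":9443}]}},
 {"kind":"Ingress","metadata":{"name":"nginx-ingress-check"},"spec":{"rules":[{"http":{"paths":[
  {"path":"/ibm/console/logon.jsp","backend":{"serviceName":"was-svc","servicePort":9043}},
  {"path":"/v1","backend":{"serviceName":"web","servicePort":8080}}]}}]}},
 {"kind":"Ingress","metadata":{"name":"v1-named-port"},"spec":{"rules":[{"http":{"paths":[
  {"path":"/","backend":{"service":{"name":"websphere","port":{"name":"admin"}}}}]}}]}}
]""")

if __name__ == "__main__":
    for finding in find_admin_exposure(SAMPLE):
        print(finding)
```

The second sample Ingress shows why the Service objects are needed: its backend names the port "admin" instead of giving 9043, so a plain text search for the port number would miss it.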



Answer 2:


Exposing both the adminhost and defaulthost via ingress isn't possible, or at least I've never figured out how to accomplish it. The crux of the issue is that ingress listens on port 80 or port 443 and forwards your request to the corresponding port on the container. Thus, the Host header of your request contains that port. I don't know enough about WAS channels/virtualhosts to understand how this works exactly, but in order for accessing WAS endpoints over any port other than the one listed for the endpoint in WAS config to work, the websphere-traditional image has to set a property to extract the port it should use for things like checking against virtualhost hostalias entries and issuing redirects from the Host header (com.ibm.ws.webcontainer.extractHostHeaderPort).

The problem becomes, when it uses that port, that port needs to be listed as a host alias for the virtual host in order for the traffic to be let through to the application. And since a combination of wildcard host and specific port can only be a host alias on one virtual host at a time, they were set up as host aliases on defaulthost so that web applications will work via ingress, but this makes it impossible to also access the admin console since that is served via a separate virtualhost which doesn't (and as far as I know can't) have the host alias entries set up to allow traffic with port 443 in its host header through. I haven't had to figure out how to get this working because kubectl port-forward has been sufficient to get at the admin console for the times I've needed to consult something, and you can't make changes anyway because they'll disappear when the pod restarts and a new one is started from the same (unchanged) image.



Source: https://stackoverflow.com/questions/63505087/problem-configuring-websphere-application-server-behind-ingress
